Event Log Exchange ActiveSync 1053

[chicagotech]

We are running Exchange 2010 SP1. With a CAS+Hub server and a separate mailbox server. Moved a few users from Exchagne 2003 to the new Exchange 2010 SP1. All works well. Except users with Andriod phones(HTC, Samgsung Glaxy and etc) start report they can no longer sync with Exchange. On one HTC Bravo, I tried with my Exchange 2010 mailbox. It then worked fine. Tried another Exchange 2010 user's mailbox on it. Failed to sync. By checking eventlog on the CAS server, discovered following event:

Exchange ActiveSync, EventID 1053

Log Name: Application
Source: MSExchange ActiveSync
Date: 8/08/2011 10:12:39 AM
Event ID: 1053
Task Category: Configuration
Level: Error
Keywords: Classic
User: N/A
Computer: CONTOSO-CAS01.Contoso.int
Description:
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=Tom Smith,OU=MySite, DC=CONTOSO,DC=int" container under Active Directory user "Active Directory operation failed on CONTOSO-dc01.CONTOSO.int. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.

Details:%3
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange ActiveSync" />
<EventID Qualifiers="49156">1053</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-08-08T00:12:39.000000000Z" />
<EventRecordID>29825</EventRecordID>
<Channel>Application</Channel>
<Computer>CONTOSO-CAS01.CONTOSO.int</Computer>
<Security />
</System>
<EventData>
<Data>CN=Tom Smith,OU=MySite,DC=CONTOSO,DC=int</Data>
<Data>Active Directory operation failed on CONTOSO-dc01.CONTOSO.int. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03151E04, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
</Data>
</EventData>
</Event>

The fix for this issue is kind easy: Tick the Inherint permission box for that particular user. As mentioned in number of sites:

http://blog.nick.mackechnie.co.nz/post/ ... Issue.aspx
http://www.wardvissers.nl/2010/08/25/yo ... issions-t/

https://d1it.wordpress.com/2011/01/27/a ... on-errors/
http://www.reborndigital.com/?p=17

However, it will be a hideous job to do for all Andriod users... Is there a better fix/way?

[chicagotech]

Inherited permissions should always be enabled for all your users. Its the default. (except those that are members of elevated groups)

If its not, then you are mailbox-enabling accounts that are members of elevated security groups and that is not recommended. (or someone has gone around in the past and disabled inheritance)